I'm using an SSG140 6.3.0r17.0 and a customer is asking to establish a VPN using a Cisco ASA 5545. He provided me, as proxy IDs, 10 networks as his local IPs and 15 addresses /32 that I'll have to NAT my servers' IPs to. As long as there is a security association for every proxy-id, in this scenario, is there a way to set up a VPN that will not consume 10 x 15 SAs?
I was trying to understand if the previous way mentioned, using policy-based VPN, will use fewer SAs and permit NAT on my source IP.
No, the number of SAs required is strictly determined by the number of IP address pairs needed for the VPN traffic to be sent.
If both sides are Juniper then you have the option of using open proxy-id pair 0.0.0.0/0 to 0.0.0.0/0 by default when creating a route based vpn on both sides. This works with both ScreenOS or Junos.
NAT can be applied only on route-based VPN. So you could NAT a number of subnets behind a NAT address and reduce the proxy-id pairs. In that case the IP address you use for NAT is then used for the local side of the pair and you drop all the subnets that are NATed behind that address.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
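The point of the answer above (one phase-2 SA per proxy-ID pair, and NAT on a route-based VPN collapsing the local side to one address) can be modelled before touching either firewall. The following script is an added illustration, not code from the thread or from Juniper; the subnets, the NAT address 192.0.2.10 and the peer's selector list are constructed sample values. It builds the proxy-ID set with and without NAT, counts the SAs each implies, and checks that the peer's crypto-map entries are the exact mirror of ours, which is the usual cause of phase-2 failures between ScreenOS and an ASA.

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread): ten local subnets on the
# ScreenOS side and fifteen /32 hosts on the peer side, matching the sizes
# given in the question.
LOCAL_SUBNETS = [f"10.{i}.0.0/24" for i in range(10)]
REMOTE_HOSTS = [f"172.16.5.{i}/32" for i in range(1, 16)]
# Assumed: the single address all local hosts are source-NATed behind.
NAT_ADDRESS = "192.0.2.10/32"


def proxy_id_pairs(local, remote, nat_src=None):
    """Return the set of (local, remote) proxy-ID pairs the tunnel must carry.

    Each distinct pair costs one phase-2 SA per direction. With nat_src set,
    every local subnet is hidden behind that one address, so the local side
    of every pair collapses to nat_src and the count drops to len(remote).
    """
    if nat_src:
        locals_ = {ip_network(nat_src)}
    else:
        locals_ = {ip_network(n) for n in local}
    remotes = {ip_network(r) for r in remote}
    return {(src, dst) for src in locals_ for dst in remotes}


def sa_count(local, remote, nat_src=None):
    """Number of phase-2 SAs (one direction) the proxy-ID set implies."""
    return len(proxy_id_pairs(local, remote, nat_src))


def mirror_mismatch(our_pairs, peer_pairs):
    """Compare our proxy-IDs with the peer's crypto-map entries.

    peer_pairs is written from the peer's point of view (their local network,
    our address), so it must be the exact mirror of our_pairs. Returns the
    pairs only we have and the pairs only the peer has; both empty means the
    selectors agree and phase 2 can negotiate for every pair.
    """
    mirrored = {(dst, src) for (src, dst) in peer_pairs}
    return our_pairs - mirrored, mirrored - our_pairs


if __name__ == "__main__":
    print("SAs without NAT:", sa_count(LOCAL_SUBNETS, REMOTE_HOSTS))
    print("SAs with NAT:   ", sa_count(LOCAL_SUBNETS, REMOTE_HOSTS, NAT_ADDRESS))
    ours = proxy_id_pairs(LOCAL_SUBNETS, REMOTE_HOSTS, NAT_ADDRESS)
    # Constructed peer view that omits one host, to show the check catching it.
    peer = {(ip_network(h), ip_network(NAT_ADDRESS)) for h in REMOTE_HOSTS[:-1]}
    only_ours, only_peer = mirror_mismatch(ours, peer)
    print("pairs the peer lacks:", sorted(str(dst) for (_, dst) in only_ours))
```

Run it as-is to see the 150-versus-15 comparison and the one missing selector; swap in the real proxy-IDs from both sides to verify a live configuration before bringing the tunnel up.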